1

I was wondering if there's a way to set up SSH with Kerberos authentication without using a DNS server at all?

mak
  • 113
  • 1
  • 7

3 Answers

3

You can avoid DNS by the following (assuming MIT Kerberos):

1) Give the KDCs in krb5.conf instead of locating them via SRV records, and do not do realm mapping via DNS TXT records:

[libdefaults]
dns_lookup_kdc   = no
dns_lookup_realm = no

[realms]
FOO.COM = {
    kdc = kdc.foo.com
}

2) Make sure all your hostname->address and reverse mappings are in your /etc/hosts file, and perhaps just disable the use of DNS for gethostbyname() etc. in /etc/nsswitch.conf.

I do not agree with the previous answer's claim that "compromise of the DNS infrastructure does not (directly) compromise the Kerberos infrastructure." Using SRV records to locate KDCs does not, since clients can authenticate the KDC (they share a secret with the KDC, or the KDC must present a valid certificate if PKINIT is used), and in any case a bogus KDC will just produce bogus tickets which won't work when used. But DNS name canonicalization and realm mapping can be hazards. A DNS spoofer can cause a client to acquire a ticket for a different service than the one it intends to contact (by changing the hostname portion of a "hostbased service" name, the most common) -- perhaps a service whose keys the attacker has previously compromised. Similar comments apply to realm mapping, though it's harder to take advantage of misleading the client regarding the realm.
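A small audit script for the configuration described in this answer, added here as an example and not code from the answer's author or from the MIT Kerberos project. It reads a krb5.conf, an /etc/hosts file and an nsswitch.conf (constructed sample contents are embedded; kdc.foo.com and the 10.0.0.x addresses are made up), and reports anything that would still send the client to DNS: dns_lookup_kdc / dns_lookup_realm not disabled, a configured KDC with no hosts-file entry or whose address reverse-maps to a different canonical name, and a hosts line in nsswitch.conf that still lists dns. It also flags the MIT settings rdns and dns_canonicalize_hostname when they are not set to false; those settings are not mentioned on this page, but they address the name-canonicalization hazard the answer's last paragraph describes.

```python
"""Audit a no-DNS MIT Kerberos client configuration (added example)."""

# Constructed sample files modelled on the answer above; hosts and
# addresses are made up and not taken from the page.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = FOO.COM
    dns_lookup_kdc   = no
    dns_lookup_realm = no

[realms]
    FOO.COM = {
        kdc = kdc.foo.com:88
        admin_server = kdc.foo.com
    }
"""

SAMPLE_HOSTS = """\
127.0.0.1   localhost
# constructed addresses for the example
10.0.0.5    kdc.foo.com kdc
10.0.0.7    ssh1.foo.com ssh1
"""

SAMPLE_NSSWITCH = """\
passwd: files
hosts:  files dns
"""

FALSE_WORDS = {"no", "false", "off", "0"}  # boolean spellings MIT krb5 accepts


def parse_krb5_conf(text):
    """Minimal krb5.conf reader: '[section]' headers, 'key = value' lines and
    one level of 'NAME = { ... }' blocks (enough for [libdefaults]/[realms]).
    Every value is stored as a list because keys such as kdc may repeat."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            conf.setdefault(section, {})
            block = None
        elif section is None:
            continue
        elif line.endswith("{"):
            block = line[:-1].rstrip(" =").strip()
            conf[section][block] = {}
        elif line == "}":
            block = None
        elif "=" in line:
            key, val = (p.strip() for p in line.split("=", 1))
            target = conf[section][block] if block else conf[section]
            target.setdefault(key.lower(), []).append(val)
    return conf


def parse_hosts(text):
    """Return (forward name->address, canonical address->first name).
    The first name on a hosts line is what a reverse lookup will yield."""
    forward, canonical = {}, {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        addr, names = fields[0], fields[1:]
        canonical.setdefault(addr, names[0].lower())
        for name in names:
            forward.setdefault(name.lower(), addr)
    return forward, canonical


def nsswitch_hosts_sources(text):
    """Sources listed on the 'hosts:' line of nsswitch.conf, e.g. ['files']."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("hosts:"):
            return line.split(":", 1)[1].split()
    return []


def host_part(value):
    """Strip an optional ':port' suffix from a kdc/admin_server entry."""
    host, sep, port = value.rpartition(":")
    return host.lower() if sep and port.isdigit() else value.lower()


def audit(krb5_text, hosts_text, nsswitch_text):
    """Return a list of (code, message) findings; an empty list means the
    client can find and name its KDCs without consulting DNS."""
    conf = parse_krb5_conf(krb5_text)
    libdefaults = conf.get("libdefaults", {})
    forward, canonical = parse_hosts(hosts_text)
    findings = []

    def last(key):
        return libdefaults.get(key, ["unset"])[-1].lower()

    # 1) KDC and realm discovery must not go through SRV/TXT records.
    for key in ("dns_lookup_kdc", "dns_lookup_realm"):
        if last(key) not in FALSE_WORDS:
            findings.append((key, f"{key} is '{last(key)}', should be false"))

    # Extra hardening for the canonicalization hazard in the answer's last
    # paragraph (real MIT settings, but not mentioned on the page).
    for key in ("rdns", "dns_canonicalize_hostname"):
        if last(key) not in FALSE_WORDS:
            findings.append((key, f"{key} is '{last(key)}'; set it to false so "
                                  "service principal names are not rewritten "
                                  "from resolver results"))

    # 2) Every statically configured KDC must resolve from /etc/hosts, both
    #    forwards and as the canonical (reverse) name of its address.
    for realm, entries in conf.get("realms", {}).items():
        if not isinstance(entries, dict):
            continue
        if not entries.get("kdc"):
            findings.append(("no-kdc", f"realm {realm} lists no static kdc"))
        for key in ("kdc", "admin_server"):
            for value in entries.get(key, []):
                host = host_part(value)
                addr = forward.get(host)
                if addr is None:
                    findings.append(("missing-host",
                                     f"{realm} {key} {host} has no /etc/hosts entry"))
                elif canonical[addr] != host:
                    findings.append(("reverse-mismatch",
                                     f"{addr} reverse-maps to {canonical[addr]}, not {host}"))

    # 3) The resolver itself should not consult DNS for host lookups.
    if "dns" in nsswitch_hosts_sources(nsswitch_text):
        findings.append(("nsswitch-dns", "nsswitch.conf hosts line still includes 'dns'"))
    return findings


if __name__ == "__main__":
    for code, msg in audit(SAMPLE_KRB5_CONF, SAMPLE_HOSTS, SAMPLE_NSSWITCH):
        print(f"[{code}] {msg}")
```

Run against the embedded samples it reports three findings: rdns and dns_canonicalize_hostname are unset, and the nsswitch.conf hosts line still falls back to dns. The reverse-mapping check matters because, as the answer notes, name canonicalization decides which service principal the client asks a ticket for; if the KDC's address reverse-maps to some other name in the hosts file, a client with rdns enabled will request a ticket for that other name.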

1

Sort of.

Kerberos will not work correctly unless the hosts can resolve each other properly. This is almost always done with a DNS server. Theoretically, however, it could be done by distributing a hosts file around to each machine that is going to be part of the Kerberos domain. This is almost certainly not what you want to be doing.

Why the opposition to the DNS server?

Scrivener
  • 3,106
  • 1
  • 20
  • 23
  • Well, from a security point of view, the DNS comes with a bunch of additional threats that I'd like to avoid. I'm deploying a secure grid infrastructure and not having a DNS is: - Avoiding DoS on the whole authentication system - Avoiding DNS poisoning - Avoiding DNS tunneling... Distributing a hosts file through an automated scp wouldn't do the trick? Why? – mak Feb 19 '13 at 01:59
  • On the one hand, if your infrastructure has already been penetrated to the point where you are concerned about DNS poisoning, you have bigger problems. But it doesn't matter; the compromise of the DNS infrastructure does not (directly) compromise the Kerberos infrastructure. Keys will not match hostnames, and it'll spit out a ton of errors at you. – Scrivener Feb 19 '13 at 02:08
1

I can't add a comment yet due to my reputation, and the question has been answered.

But if standard DNS is a security problem for you, maybe you can take a look at DNSSEC: http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions

Brice
  • 210
  • 2
  • 11